HIPS Series: Security Issues for Work/Workers Off-Site

How to take this course

Hyperlinks to supplemental content are provided, should you wish to read more about a particular topic. This extra material is optional. It is not covered on the associated course quiz. The supplemental content will usually be presented in a new browser window, which you may close at any time.

For the recommended reading sequence for these materials, see the HIPS Series Overview.

Approximate reading time for this course is 10 minutes (exclusive of linked content). The quiz for this course is here.
1. Why are you here?

As you probably already know, security training is usually required for everyone in an organization's workforce who has access to its information systems. It's required by law. It's required by ethics. It's required by business common sense.

More and more workers today conduct work activities outside of their regular offices -- in their organization's remote facilities, their own homes, or just plain outside. Learning to protect the computing devices and media you use in such "off-site" environments is a critical part of information security training.

The good news is that you can use essentially the same security measures as in office environments. What you learn in the other security courses in this series applies to off-site environments.

The bad news is two-fold: (1) You will generally have much more responsibility for doing those things yourself, because of reduced access to a support staff when off-site. And (2) the need to do them will generally be greater, given the relative riskiness of out-of-office environments.
2. Realism about risks

There are three major categories of risk to consider, related to threats from other humans, the environment itself, and failures in the computing devices themselves.

- Humans can present a direct physical threat when they steal a device or media. They can also present a threat through "technical" attacks, using malicious software or phishing scams that lead to corrupted, erased or stolen computer data.
- Environmental threats can come in the cataclysmic form of earthquakes, fires, floods, hurricanes and tornadoes, or something as mundane as a spilled cup of coffee.
- Devices themselves can be a source of risk, because of malfunctioning software or hardware. A simple hard disk failure, for example, can cost you all your data in an instant.

Successful security in any environment requires being realistic about the risks you face, and responding with security measures that are appropriate and reasonable under the circumstances.

It is conventional to break down security into three categories too -- namely, physical, technical and administrative measures. We will discuss each briefly in the following sections. For fuller treatment in context, see the other security series courses.
3. Physical security

While you may be tired of reading it, we must reiterate that the single most important protection for any computing or storage device is keeping it in a secure physical space. Locked doors, alarm systems, video surveillance, human guards, and all the other elements of physical security go a long way toward securing modern offices and their contents.

At home or other off-site locations, you should replicate as many of these as the circumstances make reasonable. That means at minimum a locked door -- or locked container, like a filing cabinet -- between your computer/media and the outside world. If you can add an alarm system, watch-dog or watch-cat, or other layers of physical security, then so much the better. If the environment is risky, or your device contains particularly sensitive information, those additional steps may be essential.

Don't let a preoccupation with theft blind you to other risks. Insurance claim statistics suggest that environmental threats are much more likely to compromise a computer. Such threats don't usually cause a confidentiality breach. But, like a hardware or software failure, environmental threats can make critical data unavailable to you.

The solution for the latter problems is keeping secure backup copies. But once you make backups, you must take steps to attend to their physical protection as well.
4. Technical security

"Technical" measures to protect your computer include:

- keeping the operating system software updated;
- keeping "applications" software updated, particularly that used for email and web browsing;
- installing anti-virus and anti-spyware software (and keeping those updated);
- installing/enabling a software or hardware firewall, or other intrusion detection/prevention measures;
- using passwords, biometric or token-based authentication to protect the system itself, and particular applications or file directories; and
- using encryption to protect particularly sensitive data.

We discuss these measures in greater detail in the other courses. The important difference for off-site environments is, again, that you are often the person with the responsibility for implementing these measures. In the office, your technical support staff will usually have measures in place to protect both your individual system and the network to which it connects.

Off-site remote access is typically achieved via an Internet Service Provider (ISP) network. Portable devices may also use cellular providers' networks. Such service providers may offer some protective services, such as network-level antivirus protection, but you will also need to attend to the measures on your own systems.

You are not (entirely) alone in this task: your organization's technical staff should at minimum be able to provide advice about appropriate measures, and perhaps also provide some tools (such as access to free or low-cost protective software).
5. Administrative security

Administrative security refers to the policies and procedures of an organization -- those that specify who may do what, and in what contexts. It may seem odd to think of "policies and procedures" in an environment as informal as your home. But whatever you call them, you need to think about constraints on computing behaviors while operating off-site.

We've already covered a couple of "policies" above, though we didn't use that language: you must have appropriate and reasonable physical security measures in place. Ditto technical security measures.

You should have policies about usage of any systems that operate off-site. For example, inherently risky activities like peer-to-peer (P2P) file sharing and freeware downloading are always off-limits for a machine you use for work. Less hazardous activities, like general Web browsing, can be safe as long as your browser has appropriate security settings. And so on.

You should also have policies about users. If you keep sensitive data on your system, you should generally not allow access to it by others in your household, even if you have measures like passwords in place. While the other persons might not be able to get to your passworded data, they could still do something that puts it at risk (like initiating a download that contains spyware).

You may even need policies about the data itself. Many organizations discourage keeping sensitive information on off-site computers. If you need it, you must access it over a network connection, using communications security measures like a VPN.
6. If you remember nothing else

The rules for off-site information safety are not difficult. Remembering to practice them can be hard -- because it often requires extra effort and attention. It's well worth it. Ask anyone who has had critical data lost, stolen or damaged.

(1) Keep all out-of-office devices as physically secure as possible. With you, or nearby, is best. Locked up, if not with you.
(2) Install/enable appropriate technical security measures. If you're not sure what to do, see if your organization's IT security staff can provide advice.
(3) Minimize the amount of sensitive data on any out-of-office device. Report the loss/theft of any device containing sensitive data.
(4) Keep a backup copy of any data that would be difficult to replace.
(5) Take appropriate steps for secure disposal when the device is no longer needed.